ASR AI Security Radar


AI security incident: CVE-2025-66580 (NVD)

Incident date: December 19, 2025 | Published: February 14, 2026

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:` URLs. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue.
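One defensive check that follows from the description above, as an added example that is neither Dive's code nor Mermaid's: an allowlist on the URL scheme of every Mermaid click directive, applied to the diagram source before it is handed to the renderer. The two directive forms matched and the set of allowed schemes are assumptions for this example, not taken from the advisory.

```javascript
// Added defensive example (not Dive's or Mermaid's code): reject dangerous
// link targets in Mermaid source before rendering. A `javascript:` target on
// a node turns a click into script execution inside the host application.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// True only when the target parses as an absolute URL with an allowlisted
// scheme. WHATWG URL parsing lowercases the scheme and strips leading and
// trailing control characters, so "JavaScript:" and " javascript:" are caught.
function isSafeDiagramLink(href) {
  let url;
  try {
    url = new URL(href.trim());
  } catch {
    return false; // relative or unparsable targets are rejected outright
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Matches Mermaid click directives of the forms (assumed for this example)
//   click A "https://example.com" "tooltip"
//   click A href "https://example.com"
// Other directive forms are left untouched.
const CLICK_DIRECTIVE = /^(\s*click\s+\S+\s+(?:href\s+)?)"([^"]*)"(.*)$/;

// Drops click directives whose target fails the scheme allowlist and returns
// the rejected targets so the host can log the offending diagram.
function sanitizeMermaidSource(source) {
  const rejected = [];
  const kept = source.split("\n").filter((line) => {
    const m = CLICK_DIRECTIVE.exec(line);
    if (!m) return true;                   // not a link directive, keep
    if (isSafeDiagramLink(m[2])) return true;
    rejected.push(m[2]);
    return false;                          // drop the unsafe directive
  });
  return { source: kept.join("\n"), rejected };
}

// Constructed sample: one benign link and one javascript: payload.
const SAMPLE = [
  "graph TD",
  "  A[Docs] --> B[Run]",
  '  click A "https://example.com/docs" "Open docs"',
  '  click B href "JavaScript:alert(document.domain)"',
].join("\n");

console.log(JSON.stringify(sanitizeMermaidSource(SAMPLE), null, 2));
```

Mermaid's own `securityLevel` option is the first line of defence; a host-side allowlist like this belongs alongside it, not instead of it, so that a permissive renderer setting cannot silently reintroduce the issue.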

Impact

Severity HIGH. Confidence 89%. Source channel: NVD.
